Just because you have cyber insurance, it doesn’t mean you are guaranteed a payout in the event of an incident. You may not have the proper coverage for certain types of cyberattacks, or you might have fallen out of compliance with your policy’s security requirements. It is critical to carefully review your policy and ensure your business is adequately protected.
Learn from the past
Cottage Health vs. Columbia Casualty
Following a data breach, Cottage Health System notified its cyber insurer, Columbia Casualty Company, and filed a claim for coverage.
However, Columbia Casualty sought a declaratory judgment against Cottage Health, claiming that it was not obligated to defend or compensate Cottage Health because the insured did not comply with the terms of its policy. According to Columbia Casualty, Cottage Health agreed to maintain specific minimum risk controls as a condition of its coverage, which it failed to do.
BitPay vs. Massachusetts Bay Insurance Company
BitPay, a leading global cryptocurrency payment service provider, filed a $1.8 million insurance claim, which Massachusetts Bay Insurance Company denied. The loss was caused by a phishing scam in which a hacker broke into the network of BitPay's business partner, stole the credentials of BitPay's CFO, impersonated the CFO, and requested the transfer of more than 5,000 bitcoins to a fake account.
Massachusetts Bay Insurance stated in its denial that BitPay's loss was not direct and thus was not covered by the type of policy purchased by BitPay since it involved the phishing of a business partner. This case emphasizes the importance of carefully reviewing insurance policies to ensure you understand what scenarios are covered.
International Control Services vs. Travelers Property Casualty Company
Travelers Property Casualty Company asked a district court to reject International Control Services' ransomware attack claim. Travelers argues that International Control Services failed to properly use multifactor authentication (MFA), which was required to obtain cyber insurance. Travelers claims that International Control Services falsely stated in its policy application materials that MFA was required for employees and third parties to access email, log into the network remotely, and access endpoints, servers, etc. According to Travelers, International Control Services was only using MFA on its firewall, and access to its other systems, including the servers that were the target of the ransomware attack in question, was not protected by MFA.
Don't be late to act
These cases are a cautionary reminder of the importance of reading your cyber insurance policies, understanding what they contain, and adhering to their terms. Insurers are increasingly scrutinizing businesses' cybersecurity practices; therefore, you must understand your cybersecurity posture.
Denied payouts from cyber insurance policies could stem from naive errors, such as misinterpreting difficult-to-understand insurance jargon, or from poor cybersecurity policy implementation. Sydow Inc. can help you avoid these problems by working with you to assess your risks and develop a comprehensive cybersecurity plan. Contact us for a no-obligation consultation.